The process is a simple, yet extremely dangerous, identity fraud scheme that even phone companies like Verizon have fallen prey to. First, the fraudsters call your number at random as part of a phishing scam. Then they call your phone company, claim they lost their phone, and ask to have it reinstated. With a little social engineering and phishing, they can give your phone company your social security number or other personal information, getting the SIM card ID number ported to their phone and disabling yours. With your SIM card secured, they can bypass any Dual Factor Authentication used for security. This is what led to the recent Reddit hack, as some of the administrators had used their cell phones to activate their accounts. Hackers were able to use the administrator access to compromise various emails.
While the number of frauds is small, it is growing at a fast rate. In 2013, there were 1,013 reported cases according to the FTC, representing 3.2 percent of ID fraud. By 2016, it had nearly doubled. According to Emma Mohan-Satta, a security expert at Kaspersky, “A high proportion of banking customers now have mobile phone numbers linked with their accounts, and so this attack is becoming common in some regions where this attack was not previously so common. Unlike mobile malware, SIM fraud attacks are usually aimed at profitable victims that have been specifically targeted through successful social engineering.”1 Though it’s hard to detect from a customer perspective, some banks can detect it. For example, they have alerts on accounts if a fraudulent transaction occurs. Knowing their customers can also raise alarm bells if a customer’s behavior suddenly changes.
As with any fraudulent activity, keep a vigilant eye on your data and your phone’s security. If you’re using your phone as a DFA, be wary of where you use it and consider a second way of using such security measures in case your phone is compromised.
1 https://www.digitaltrends.com/mobile/sim-swap-fraud-explained/